Windows 10 Themes Can Be Abused To Steal Windows Passwords (bleepingcomputer.com) 37

AmiMoJo writes: Specially crafted Windows 10 themes and theme packs can be used in 'Pass-the-Hash' attacks to steal Windows account credentials from unsuspecting users. Windows allows users to create custom themes that contain customized colors, sounds, mouse cursors, and the wallpaper that the operating system will use. Windows users can then switch between different themes as desired to change the appearance of the operating system. A theme's settings are saved under the %AppData%\Microsoft\Windows\Themes folder as a file with a .theme extension, such as 'Custom Dark.theme.' Windows themes can then be shared with other users by right-clicking on an active theme and selecting 'Save theme for sharing,' which will package the theme into a '.deskthemepack' file. These desktop theme packs can then be shared via email or as downloads on websites, and installed by double-clicking them.

This weekend security researcher Jimmy Bayne (@bohops) revealed that specially crafted Windows themes could be used to perform Pass-the-Hash attacks. Pass-the-Hash attacks are used to steal Windows login names and password hashes by tricking a user into accessing a remote SMB share that requires authentication. When trying to access the remote resource, Windows will automatically try to log in to the remote system by sending the Windows user's login name and an NTLM hash of their password. In a Pass-the-Hash attack, the sent credentials are harvested by the attackers, who then attempt to dehash the password to access the visitors' login name and password.
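
A defender-side check for the theme files described in the summary, as an added example that is not part of the original post or of any Microsoft tool: it parses a .theme file and lists every setting whose value points at another host (UNC-style path or URL), so a theme can be reviewed before it is installed. It assumes the INI-style `key=value` layout of .theme files; the `[Constructed]` section and its key names in the sample are made up for the demonstration.

```python
import os
import re
from pathlib import Path

# Values that make Windows fetch a resource from another host:
# UNC-style paths (\\host\share or //host/share) and remote URL schemes.
REMOTE = re.compile(r'(?:\\\\|//)[^\\/\s]+|(?:https?|ftp)://|file://[^/]', re.I)

def decode_theme(raw: bytes) -> str:
    """Theme files may be ANSI/UTF-8 or UTF-16; honour a BOM if present."""
    if raw[:2] in (b'\xff\xfe', b'\xfe\xff'):
        return raw.decode('utf-16')
    return raw.decode('utf-8-sig', errors='replace')

def remote_references(raw: bytes):
    """Return (section, key, value) for every setting that points off-host."""
    findings, section = [], ''
    for line in decode_theme(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(';'):      # blank line or comment
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            continue
        key, sep, value = line.partition('=')
        value = value.strip().strip('"')
        if sep and REMOTE.match(value):
            findings.append((section, key.strip(), value))
    return findings

# Constructed sample (not a real theme): one local path, two remote values.
SAMPLE = (
    "; constructed sample\r\n"
    "[Theme]\r\nDisplayName=Custom Dark\r\n"
    "[Control Panel\\Desktop]\r\n"
    "Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg\r\n"
    "[Constructed]\r\n"
    "ExampleA=\\\\files.example.test\\share\\a.jpg\r\n"
    "ExampleB=https://www.example.test/b.png\r\n"
).encode("utf-16")

if __name__ == "__main__":
    for hit in remote_references(SAMPLE):
        print("sample", *hit, sep=" | ")
    # Installed themes live under %AppData%\Microsoft\Windows\Themes.
    root = Path(os.environ.get("APPDATA", ".")) / "Microsoft" / "Windows" / "Themes"
    for f in root.rglob("*.theme"):
        for hit in remote_references(f.read_bytes()):
            print(f, *hit, sep=" | ")
```

A hit is a prompt for review, not proof of malice: device paths that begin with two backslashes are flagged as well.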

This discussion has been archived. No new comments can be posted.

  • by gweihir ( 88907 ) on Tuesday September 08, 2020 @07:18PM (#60486274)

    No surprise all that computer stuff is so insecure when the undisputed market leader does not even get basic things right...

    • Chains are only as strong as their weakest links, and an operating system has more chains on it than a slave galley. The more complicated and elaborate an OS gets, the more likely you'll find faults in it.

      Of course this is not a new problem: https://i.imgur.com/BULPmCI.gi... [imgur.com]

      • by gweihir ( 88907 )

        Indeed. And yet you can do this much, much better than MS. The only thing MS would really need to do is accept that they do not have what it takes to write a good OS and put a Linux or xBSD base below a "Windows" window manager.

    • by nashv ( 1479253 )

      They have a "certification" process for themes in place. You are supposed to use legitimate themes with a proper certification, from their app store, for example. The fact that people go and install potentially malicious themes from untrusted sources is not really the OS's fault. I mean, it's as stupid as running a malicious EXE.

      • by gweihir ( 88907 )

        They have a "certification" process for themes in place. You are supposed to use legitimate themes with a proper certification, from their app store, for example. The fact that people go and install potentially malicious themes from untrusted sources is not really the OS's fault. I mean, it's as stupid as running a malicious EXE.

        Nope. The problem is that nobody sane suspects a frigging _theme_ can compromise their system. Like nobody sane suspects a text document (well "word" document in the deranged MS world) can do it either.

      • by ufgrat ( 6245202 )

        I don't care. My system should never pass authentication credentials to an "untrusted" system without asking my permission-- and untrusted is anything not whitelisted by my DC, anything outside my current network profile, or any server I've never connected to.

    • Backwards compatibility, what- rewrite SMB again, can't break behind your face logins and loss of eye candy, and finally secure is not as important as revenue estimates. What this really means all this cyber-security stuff cannot succeed using defective products with unpatched protocols that can be flogged by GPU cards in days. That is a codeword for Corporate insecurity and risk, getting riskier - not better. And none of this appliance shit and firewalling nonsense will save you. Hey, let's add electronic v
    • by MrL0G1C ( 867445 )

      And some Apple, Microsoft and Trump fanboy seems to have endless mod points and mod as troll anybody who dares criticise their idol. Sort it out Slashdot, change the algorithm so that anyone who excessively mods as troll gets mod points less and less often. It's getting silly.

      And this is indeed a really dumb vulnerability where simply put Windows just dishes out your password like free candy on Halloween. I always disable Windows sharing/networking because I felt MS would muck up the security again, and now

    • No, but I have installed many themes I downloaded from some website, for various applications over the years. These days I generally like to keep things vanilla, but I used to install a lot of eye candy BS. I could have easily picked up a malicious theme back when.

      • I remember many years ago, I downloaded and installed something that put a set of eyeballs on your screen, and the pupils tracked wherever your mouse cursor went. I thought it was the coolest thing ever.
  • The SMB server should send some data to the client to encrypt using the password hash as symmetrical key, all over a secured connection (diffie hellman + AES).
    If the data decrypts right, the client all is good.

    Wait, no because the password hash can't be assumed to not be public...

    I'm not a cryptographer, but this problem seems not to be straightforward.

  • Comment removed (Score:3, Informative)

    by account_deleted ( 4530225 ) on Tuesday September 08, 2020 @09:02PM (#60486540)
    Comment removed based on user account deletion
    • by AmiMoJo ( 196126 )

      All locks can be bypassed, so who cares about locking your front door?

      People who understand security know that defence in depth is what matters.

  • "We said we are now 'open'. It's your own fault for assuming what was meant by that."
  • by mysidia ( 191772 ) on Tuesday September 08, 2020 @11:24PM (#60486860)

    In a Pass-the-Hash attack, the sent credentials are harvested by the attackers, who then attempt to dehash the password to access the visitors' login name and password.

    No... What the original post just described is NOT PtH but a cracking attack; basically capturing and trying to break the hash.

    In a pass the hash attack the attacker discovers the hash, and then due to a weakness in the protocol is able to pass the hash in order to authenticate without knowing what the actual password is that was hashed - - E.g. the Hash itself is good enough to authenticate, because various Windows protocols had weak authentication and sent a Hash over the network instead of the hash... Then knowing the Hash is as good as knowing the password for authentication.. That is the definition of Pass-the-Hash, and NOT the same as "Capture and crack" the hash.

  • It's just a .theme/.themepack/.desktopthemepack file which, when opened, can trigger a generic HTTP authentication prompt against a remote server. The credentials don't even need to be reversed from an NTLM hash, as it works fine with basic plaintext authentication. The user still needs to enter their credentials for this to work, so it's one potential component of a successful phish.

    Disabling NTLM won't help this issue, but blocking those filetypes at the email gateway and firewall would be prudent as a
  • ...install all kinds of junk on your computer, you may get into trouble.

    Nothing new. Just stop adding all sorts of junk to your computer.
